Feb 15, 2022 by Charles Beumier | 1742 views
The smartphone has become so important in daily life that users should be concerned about its security. We try to explain here some reasons to be or not to be afraid about disclosing the IMSI, the subscriber identity number used in the global telecommunication network.
The smartphone is one of the objects which receives the largest attention due to its portability, ease of use, plethora of functionalities and key importance for human relation. It is more and more the preferred channel to access private information through e-mail messages or social networks or to realize crucial operations in the financial or administrative worlds.
For identification in the telecommunication network, there is a unique 15-digit number called IMSI (International Mobile Subscriber Identity), attached to each subscription. This number is contained in the SIM card and in the database of the mobile network operator. During connection to the net, the IMSI is used to grant access to the global network thanks to an authentification procedure after which a TMSI (temporary identity) is preferred for network exchange in order to lower the risk of IMSI capture by malicious people. Later, an IMSI is sometimes used to identify on which susbscription to operate some SS7 action.
IMSIs are part of the Global System for Mobile Communications, designed when operators had little reason to fear attacks on their network. But in the late 90's, the number of operators increased from telecom deregulation and the Internet Protocol was added as a way to exchange communications and signalling between equipments. About 12 years later, several research groups began to publish about vulnerabilities of the SS7 protocol suites, designed in the 70's for the signalling between telco equipments. They demonstrated the possibility to locate mobile phones, to read SMS, to eavesdrop calls, commit fraud through subscription modification or to apply a Denial of Service.
As mentioned in a report of Positive Technologies about SS7 vulnerabilities (https://www.gsma.com/membership/wp-content/uploads/2018/07/SS7_Vulnerability_2017_A4.ENG_.0003.03.pdf), the first step for most SS7 attacks is the gathering of IMSI numbers. From this importance, IMSI collection is by itself a profit-making activity and IMSI lists can be found on the black market.
However, a mobile telephone number (MSISDN) may also suffice to perform attacks, probably thanks to the collected IMSI black market lists, or thanks to SS7 vulnerabilities which might return the IMSI corresponding to a MSISDN. Some unscrupulous companies sell tracking information or SMS content for any given MSISDN. There exist also the IMSI-catchers, fake antennas normally designed for law enforcement, which mimic a GSM antenna to collect IMSI numbers and potentially listen to conversations (if they can decrypt them), playing Man-in-the-Middle. These fake antennas can even reject a 4G connection and ask for 3G or 2D downgrade, less resilient to attacks.
The situation may be summarized like this: as long as you are not a VIP (whose communication data and movement are valuable), your chance to be a target is little except from bad luck, if you are part of some telephone list. On the contrary, if you are a target, your IMSI will probably be acquired in some way to prepare an attack and there is little you can do about this. Your main defense can be to use communication channels other than your smartphone, and switch it off when you fear to be tracked.
Mobile network security should be improving over time. Compared to 2G, 3G added the authentication of the network by phones when they connect, complicating the work of fake antennas or the possibility of spoofing network equipment. The 4G has replaced SS7 by DIAMETER, but 2G and 3G networks are still heavily used and must be kept for backward compatibility of telecom and user equipment. Researchers also pointed out vulnerabilities in DIAMETER, even though this technology is currently less attacked. Research results and the General Data Protection Regulation have pushed the operators to improve the security of their networks, for instance by implementing firewalls and performing penetration tests and audits.
This blog post is licensed under CC BY-SA 4.0